
AWS managed policies for Next generation Resilience Hub

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.

AWSResilienceHubV2AssessmentExecutionPolicy

You can attach the AWSResilienceHubV2AssessmentExecutionPolicy to your IAM identities. While running an assessment, this policy grants read-only access permissions to other AWS services for resilience discovery, assessment, and management.

Permission details

This policy grants wildcarded (Resource "*") read-only permissions; the output of those read operations might include sensitive information.

This policy includes the following permissions:

  • Amazon CloudWatch (CloudWatch) – Provides Describe, Get, and List permissions for CloudWatch resources that are associated with your AWS account.

  • AWS CloudFormation – Provides Describe, Get, and List permissions for AWS CloudFormation resources that are associated with your AWS account.

  • Amazon Elastic Compute Cloud (Amazon EC2) – Provides specific Describe permissions for Amazon EC2 resources that are associated with your AWS account.

  • Amazon Elastic Container Service (Amazon ECS) – Provides Describe and List permissions for Amazon ECS resources that are associated with your AWS account.

  • Amazon Elastic Kubernetes Service (Amazon EKS) – Provides Describe and List permissions for Amazon EKS resources that are associated with your AWS account.

  • Amazon Elastic Container Registry (Amazon ECR) – Provides Describe permissions for Amazon ECR resources that are associated with your AWS account.

  • Amazon Elastic File System (Amazon EFS) – Provides Describe permissions for Amazon EFS resources that are associated with your AWS account.

  • Amazon ElastiCache (ElastiCache) – Provides Describe permissions for ElastiCache resources that are associated with your AWS account.

  • Elastic Load Balancing – Provides Describe permissions for Elastic Load Balancing resources that are associated with your AWS account.

  • Amazon DynamoDB (DynamoDB) – Provides Describe and List permissions for DynamoDB resources that are associated with your AWS account.

  • Amazon RDS – Provides Describe permissions for Amazon RDS resources that are associated with your AWS account.

  • Amazon DocumentDB – Provides Describe and List permissions for Amazon DocumentDB resources that are associated with your AWS account.

  • AWS Lambda (Lambda) – Provides specific Get and List permissions for Lambda resources that are associated with your AWS account.

  • AWS Step Functions – Provides Describe and List permissions for AWS Step Functions resources that are associated with your AWS account.

  • IAM – Provides specific Get and List permissions for IAM resources that are associated with your AWS account.

  • Amazon Simple Notification Service (Amazon SNS) – Provides Get and List permissions for Amazon SNS resources that are associated with your AWS account.

  • Amazon Simple Queue Service (Amazon SQS) – Provides Get and List permissions for Amazon SQS resources that are associated with your AWS account.

  • Amazon Simple Storage Service (Amazon S3) – Provides Get and List permissions for Amazon S3 resources that are associated with your AWS account. The Amazon S3 permissions in the AWSResilienceHubS3AccessStatement are restricted to resources in the same account by using the aws:ResourceAccount condition key.

  • Amazon Route 53 (Route 53) – Provides Get and List permissions for Route 53 resources, including Route 53 Application Recovery Controller resources, that are associated with your AWS account.

  • Amazon EC2 Systems Manager (SSM) – Provides Describe and Get permissions for SSM resources that are associated with your AWS account.

  • Amazon EC2 Auto Scaling – Provides Describe permissions for Amazon EC2 Auto Scaling resources that are associated with your AWS account.

  • AWS Backup – Provides Describe, Get, and List permissions for AWS Backup resources that are associated with your AWS account.

  • AWS Elastic Disaster Recovery (Elastic Disaster Recovery) – Provides Describe permissions for Elastic Disaster Recovery resources that are associated with your AWS account.

  • AWS Fault Injection Service (AWS FIS) – Provides Get and List permissions for AWS FIS experiments and experiment templates that are associated with your AWS account.

  • Amazon FSx for Windows File Server (Amazon FSx) – Provides Describe permissions for Amazon FSx resources that are associated with your AWS account.

  • Amazon Data Lifecycle Manager – Provides Get permissions for Amazon Data Lifecycle Manager resources that are associated with your AWS account.

  • AWS DataSync – Provides Describe and List permissions for AWS DataSync resources that are associated with your AWS account.

  • AWS Resource Groups (Resource Groups) – Provides Get and List permissions for Resource Groups resources that are associated with your AWS account.

  • AWS Service Catalog (Service Catalog) – Provides Get and List permissions for Service Catalog resources that are associated with your AWS account.

  • Amazon API Gateway – Provides GET permissions scoped to specific resource ARN patterns for REST APIs, HTTP APIs, usage plans, and domain names.

  • Amazon Kinesis – Provides Describe and List permissions for Kinesis resources that are associated with your AWS account.

  • Amazon Kinesis Data Firehose – Provides Describe and List permissions for Kinesis Data Firehose resources that are associated with your AWS account.

  • Amazon EventBridge – Provides Describe and List permissions for EventBridge resources that are associated with your AWS account.

  • Amazon MSK – Provides Describe, Get, and List permissions for Amazon MSK and MSK Connect resources that are associated with your AWS account.

  • Amazon MemoryDB – Provides Describe permissions for MemoryDB resources that are associated with your AWS account.

  • Amazon Redshift – Provides Describe permissions for Redshift resources that are associated with your AWS account.

  • AWS Global Accelerator – Provides Describe and List permissions for Global Accelerator resources that are associated with your AWS account.

  • AWS Network Firewall – Provides Describe and List permissions for Network Firewall resources that are associated with your AWS account.

  • AWS Shield – Provides Describe and List permissions for Shield resources that are associated with your AWS account.

  • AWS WAF V2 – Provides Get and List permissions for WAF V2 resources that are associated with your AWS account.

  • AWS Resource Access Manager – Provides Get and List permissions for RAM resources that are associated with your AWS account.

  • Amazon VPC Lattice – Provides Get and List permissions for VPC Lattice resources that are associated with your AWS account.

  • AWS Config – Provides Describe and List permissions for Config resources that are associated with your AWS account.

  • Amazon CloudFront – Provides Get and List permissions for CloudFront resources that are associated with your AWS account.

  • AWS Secrets Manager – Provides Describe and List permissions for Secrets Manager resources that are associated with your AWS account.

  • AWS Directory Service – Provides Describe permissions for Directory Service resources that are associated with your AWS account.

  • Amazon DSQL – Provides Get and List permissions for DSQL resources that are associated with your AWS account.

  • Amazon QLDB – Provides Describe and List permissions for QLDB resources that are associated with your AWS account.

  • AWS Certificate Manager – Provides Describe, Get, and List permissions for ACM resources that are associated with your AWS account.

  • Application Auto Scaling – Provides Describe permissions for Application Auto Scaling resources that are associated with your AWS account.

  • SSM Incidents – Provides Get and List permissions for SSM Incidents resources that are associated with your AWS account.

  • Tag – Provides GetResources permission for querying tagged resources that are associated with your AWS account.

The following IAM policy provides required permissions for Next generation Resilience Hub to access other AWS services while running assessments.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AWSResilienceHubV2ReadResourceConfigStatement", "Effect": "Allow", "Action": [ "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListCertificates", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "arc-region-switch:GetRegionSwitchStatus", "arc-region-switch:ListRegionSwitchAZSummaries", "arc-zonal-shift:GetManagedResource", "arc-zonal-shift:ListManagedResources", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "backup:DescribeBackupVault", "backup:GetBackupPlan", "backup:GetBackupSelection", "backup:ListBackupPlans", "backup:ListBackupSelections", "cloudformation:DescribeStacks", "cloudformation:GetTemplate", "cloudformation:ListStackResources", "cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "config:DescribeConfigRules", "config:ListDiscoveredResources", "datasync:DescribeTask", "datasync:ListLocations", "datasync:ListTasks", "dlm:GetLifecyclePolicies", "dlm:GetLifecyclePolicy", "docdb-elastic:GetCluster", "docdb-elastic:ListClusters", "drs:DescribeJobs", "drs:DescribeSourceServers", "drs:GetReplicationConfiguration", "ds:DescribeDirectories", "dsql:GetCluster", "dsql:ListClusters", "dynamodb:DescribeContinuousBackups", "dynamodb:DescribeGlobalTable", "dynamodb:DescribeTable", "dynamodb:ListGlobalTables", "dynamodb:ListTagsOfResource", "ec2:DescribeAvailabilityZones", "ec2:DescribeFastSnapshotRestores", "ec2:DescribeFleets", "ec2:DescribeInstances", "ec2:DescribeNatGateways", "ec2:DescribeRegions", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ecr:DescribeRepositories", "ecs:DescribeCapacityProviders", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeServices", "ecs:DescribeTaskDefinition", 
"ecs:ListContainerInstances", "ecs:ListServices", "eks:DescribeCluster", "eks:DescribeFargateProfile", "eks:DescribeNodegroup", "eks:ListFargateProfiles", "eks:ListNodegroups", "elasticache:DescribeCacheClusters", "elasticache:DescribeGlobalReplicationGroups", "elasticache:DescribeReplicationGroups", "elasticache:DescribeSnapshots", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeReplicationConfigurations", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "events:DescribeEventBus", "events:DescribeRule", "events:ListRules", "events:ListTargets", "firehose:DescribeDeliveryStream", "firehose:ListDeliveryStreams", "fis:GetExperiment", "fis:GetExperimentTemplate", "fis:ListExperimentTemplates", "fis:ListExperiments", "fsx:DescribeFileSystems", "globalaccelerator:DescribeAccelerator", "globalaccelerator:DescribeEndpointGroup", "globalaccelerator:DescribeListener", "globalaccelerator:ListAccelerators", "globalaccelerator:ListEndpointGroups", "globalaccelerator:ListListeners", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "kafka:DescribeCluster", "kafka:DescribeClusterV2", "kafka:GetBootstrapBrokers", "kafka:ListClusters", "kafka:ListClustersV2", "kafkaconnect:DescribeConnector", "kafkaconnect:ListConnectors", "kinesis:DescribeStream", "kinesis:ListStreams", "lambda:GetFunctionConcurrency", "lambda:GetFunctionConfiguration", "lambda:ListAliases", "lambda:ListEventSourceMappings", "lambda:ListFunctionEventInvokeConfigs", "lambda:ListVersionsByFunction", "memorydb:DescribeClusters", "memorydb:DescribeMultiRegionClusters", "network-firewall:DescribeFirewall", "network-firewall:DescribeFirewallPolicy", "network-firewall:ListFirewallPolicies", "network-firewall:ListFirewalls", "qldb:DescribeLedger", "qldb:ListLedgers", 
"ram:GetResourceShareAssociations", "ram:ListResources", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBInstanceAutomatedBackups", "rds:DescribeDBInstances", "rds:DescribeDBProxies", "rds:DescribeDBSnapshots", "rds:DescribeGlobalClusters", "redshift:DescribeClusterSnapshots", "redshift:DescribeClusters", "resource-groups:GetGroup", "resource-groups:ListGroupResources", "route53:GetHealthCheck", "route53:GetHostedZone", "route53:ListHealthChecks", "route53:ListHostedZones", "route53:ListResourceRecordSets", "route53-recovery-control-config:ListClusters", "route53-recovery-control-config:ListControlPanels", "route53-recovery-control-config:ListRoutingControls", "route53-recovery-readiness:GetReadinessCheckStatus", "route53-recovery-readiness:GetResourceSet", "route53-recovery-readiness:ListReadinessChecks", "route53resolver:ListFirewallRuleGroupAssociations", "route53resolver:ListResolverEndpoints", "route53resolver:ListResolverRules", "s3:ListBucket", "secretsmanager:DescribeSecret", "secretsmanager:ListSecrets", "servicecatalog:GetApplication", "servicecatalog:ListAssociatedResources", "shield:DescribeProtection", "shield:ListProtections", "sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic", "sns:ListTopics", "sqs:GetQueueAttributes", "sqs:ListQueues", "ssm:DescribeAutomationExecutions", "ssm:GetDocument", "ssm:GetParametersByPath", "ssm-incidents:GetResponsePlan", "ssm-incidents:ListReplicationSets", "ssm-incidents:ListResponsePlans", "states:DescribeStateMachine", "states:ListStateMachines", "tag:GetResources", "vpc-lattice:GetService", "vpc-lattice:GetServiceNetwork", "vpc-lattice:GetTargetGroup", "vpc-lattice:ListServices", "vpc-lattice:ListServiceNetworks", "vpc-lattice:ListTargetGroups", "wafv2:GetWebACL", "wafv2:ListWebACLs" ], "Resource": "*" }, { "Sid": "AWSResilienceHubApiGatewayStatement", "Effect": "Allow", "Action": [ "apigateway:GET" ], "Resource": [ "arn:aws:apigateway:*::/apis/*", "arn:aws:apigateway:*::/restapis/*", 
"arn:aws:apigateway:*::/usageplans", "arn:aws:apigateway:*::/domainnames/*" ] }, { "Sid": "AWSResilienceHubS3AccessStatement", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketObjectLockConfiguration", "s3:GetBucketPolicy", "s3:GetBucketPolicyStatus", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetMultiRegionAccessPointRoutes", "s3:GetReplicationConfiguration", "s3:ListAllMyBuckets", "s3:ListMultiRegionAccessPoints" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } } ] }

Next generation Resilience Hub updates to AWS managed policies

View details about updates to AWS managed policies for Next generation Resilience Hub since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Next generation Resilience Hub Document history page.

Change | Description | Date
AWSResilienceHubV2AssessmentExecutionPolicy – New policy | Next generation Resilience Hub added a new policy to grant read-only access permissions to other AWS services for resilience discovery, assessment, and management. | June 18, 2026
Next generation Resilience Hub started tracking changes | Next generation Resilience Hub started tracking changes for its AWS managed policies. | June 18, 2026